<html> <head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-15"> </head> <body text="#000000" bgcolor="#FFFFFF"> Hello People. We are currently exploring the possibility to use libvirt and kvm/quemu for production purposes. The general stability seems good enough and the performance is great. There are some issues we do not understand here yet. For security reasons we are considering the extensive use of Networkfilters for virtual machines. But we found some simple scheme for a test-server not to be working as we expected. It might well be that we misunderstand something here, so I am hoping someone could point out to us, where either we or perhaps libvirt failed in this example. We are using an ubuntu 13.04 Server running the provided "1.0.2-0ubuntu11.13.04.2" libvirt-bin using amd64-architecture. The type of VM should not be relevant for this problem. Its a linux-based xmpp-Server which uses ucarp. I reduced the used filter-file just so i could prove my point. It contains: <filter name='linux-based-xmpp-server' chain='root'> <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid> <rule action='accept' direction='in' priority='999'> <tcp state='NEW' dstportstart='5222'/> </rule> <rule action='accept' direction='in' priority='999'> <tcp state='NEW' dstportstart='5269'/> </rule> <rule action='accept' direction='inout' priority='999'> <ip dstipaddr='224.0.0.18' proto='112'/> </rule> <rule action='reject' direction='inout' priority='999'> <all/> </rule> </filter> Practically it should allow TCP-traffic on Ports 5222,5269 incoming and incoming and outgoing traffic for ip protocol 112 to destination ip 224.0.0.18 (VRRP used by ucarp). All other traffic should be rejected. There is only one VM on the system and the VM has this ruleset attached. Note: It is clear to me that this example won't work as areal world example, because packets of the state ESTABLISHED,RELATED are not allowed through the firewall. I removed these rules because they where in a filter-file i referenced. After reloading the libvirt-bin i do get part of the rules in would expect in iptables: Chain FI-vnet0 (1 references) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain FO-vnet0 (1 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 state NEW REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain HI-vnet0 (1 references) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable What is missing is any reference to the rule for ucarp (protocol 112). Please note though that removing the protocol and just allowing any ip traffic to 224.0.0.18 as a rule, does not appear in the iptables either. Am i misunderstanding anything here? Is there a bug in libvirt? How do you interpret this? Do you know of any other way to achieve the simple ruleset intended? I am hoping to get more information from this list. If you are replying, please cc me (<a class="moz-txt-link-abbreviated" href="mailto:matthias.babisch@bmiag.de">matthias.babisch@bmiag.de</a>), because i receive this list as a digest. Sincerely Matthias Babisch IT/Organisation b+m Informatik AG Rotenhofer Weg 20 24109 Melsdorf T +49 4340/404-1444 F +49 4340/404-111 M +49 160/8866426 <a class="moz-txt-link-abbreviated" href="mailto:matthias.babisch@bmiag.de">matthias.babisch@bmiag.de</a> Aktuelle Informationen unter <a href="%5C%22http://www.bmiag.de%5C%22">www.bmiag.de</a> Die b+m Informatik AG ist ein Unternehmen der <a href="%5C%22http://www.allgeier-holding.de%5C%22">Allgeier Gruppe</a> Vorsitzender des Aufsichtsrates: Dr. Marcus Goedsche Vorstand: Dipl-Ing. Frank Mielke Amtsgericht Kiel, HRB 5526 </body> </html>